Privacy Policy

Effective: 8 April 2026

Happening ("the Service") is operated by Lili's Ark Limited, a company registered in England and Wales (company number 15424953) ("we", "us", "our"). We are the data controller for your personal data under the UK General Data Protection Regulation and the Data Protection Act 2018.

This policy explains what data we collect, why, how we protect it, and the choices you have. It applies to the Happening mobile apps (iOS and Android), the Happening website, and any related services.

1. Data We Collect

We only collect the data we need to run the Service. We do not buy data from data brokers and we do not enrich your profile with third-party data.

Account data: name, email address, date of birth, profile picture (optional), display preferences.
Authentication data: a hashed password (if you sign up with email), or an OAuth identifier from Apple Sign-In or Google Sign-In (your Google or Apple account email and display name are received during sign-in and stored as part of your profile). We never see your Apple or Google password.
Event data: event names, descriptions, textual location labels you type (for example, "The Crown pub, Brixton"), date ranges, the availability you submit, and your responses to invitations. We do not collect or store your device's precise GPS location; see Section 15b below.
Photo library / camera (optional): the system photo picker and camera are used only when you tap "Change profile picture". We receive the single image you pick or capture and store it against your profile. We never access your wider photo library or camera outside that flow.
Friend and group data: the people you have added as friends and the groups you create or belong to.
Guest data: if you respond to an invite as a guest (without registering), we collect your name, email address, and the availability you submit, solely to operate the event.
Device data: push notification tokens, the device platform (iOS, Android, or web) and app version you use to access the Service.
Technical data: IP address (for rate limiting, abuse prevention, and security logs), HTTP user agent, timestamps of account activity.
Diagnostic data: crash reports and error events captured by Sentry, including stack traces, app version, OS version, and a non-identifying installation ID. Sentry is configured to not collect personally identifying information by default.
Reports and moderation data: if you report a user, group, or event, we keep a record of the report and any related content for safety purposes.

We do not collect: precise device GPS location, contacts, your wider photo library, microphone, health data, financial data, browsing history, calendar events (on-device reads only — see Section 15), or advertising identifiers.

2. App Tracking Transparency (iOS)

Happening does not track you across apps or websites owned by other companies. We do not use the iOS IDFA, do not share data with data brokers, and do not display third-party advertising. Because we do not track, the iOS App Tracking Transparency prompt is not shown.

3. How We Use Your Data

To operate the Service: creating events, finding mutually available dates, sending invitations, recording responses.
To send transactional notifications: invitations, reminders, results, friend requests, and account security messages by email and push. You can unsubscribe from non-essential emails via the link in each email or in Settings.
To keep the Service safe: rate limiting, fraud prevention, abuse detection, content moderation, and enforcing our Terms of Service.
To provide customer support when you contact us.
To improve reliability: diagnosing crashes and errors, fixing bugs, and monitoring performance.
To comply with legal obligations and to establish, exercise, or defend legal claims.

We do not sell your personal data. We do not use your data for advertising, behavioural profiling, or to train machine learning models.

4. Lawful Basis (UK GDPR)

Contract (Article 6(1)(b)): processing necessary to provide the Service you signed up for, including account management, event coordination, and transactional notifications.
Legitimate interests (Article 6(1)(f)): keeping the Service secure, preventing abuse, diagnosing errors, and enforcing our terms. We balance these interests against your rights and freedoms.
Consent (Article 6(1)(a)): when a guest provides their name, email, and availability through a share link; and where required, push notification permission on your device.
Legal obligation (Article 6(1)(c)): when we are required by law to retain or disclose data (for example, in response to a valid court order).

5. Who We Share Data With

We share your data with the following categories only, and only to the extent necessary:

Other participants in your events: your display name, profile picture, availability, and response status are visible to people you invite or who are invited alongside you.
Friends and group members: people you add as friends or share a group with can see your display name and profile picture.
Sub-processors (data processors acting on our instructions) — see Section 6 for the full list.
Authentication providers: Apple and Google, only during the sign-in process when you choose to use them.
Law enforcement and regulators: only when legally compelled by a valid request, and only the minimum data required.
Acquirers: if Lili's Ark Limited is acquired or merges with another company, your data may transfer to the new owner. We will notify you and your rights under this policy will continue to apply.

We do not share data with advertising networks, data brokers, or analytics platforms beyond what is described in Section 6.

6. Sub-Processors and International Transfers

Wherever possible, we keep your data inside the UK. Some of our sub-processors are headquartered outside the UK and EEA — in those cases, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision to lawfully transfer the data.

DigitalOcean — application and database hosting. Data is stored in London, United Kingdom (LON1 region).
Resend — transactional email delivery. Servers in the United States. Transfers covered by the EU-US Data Privacy Framework and SCCs.
Expo — push notification delivery. Servers in the United States. Transfers covered by SCCs.
Apple Push Notification Service / Firebase Cloud Messaging — used to deliver push notifications to your device.
Sentry — crash and error reporting. Hosted in the European Union.
Apple, Google — Sign-in authentication when you choose these providers.

We review our sub-processors regularly and require each one to provide appropriate technical and organisational safeguards.

7. Data Storage and Security

We take security seriously. Our measures include:

All data encrypted in transit using TLS 1.2 or higher.
Passwords stored as salted BCrypt hashes — we never see or store your password in plain text.
Short-lived access tokens (15 minutes) and HTTP-only refresh tokens.
Strict role-based access controls; only a small number of authorised personnel can access production systems.
Automated daily database backups, retained for 14 days, encrypted at rest.
Rate limiting and brute-force protection on authentication endpoints.
Server-side input validation, output escaping, and a Content Security Policy.
Continuous monitoring and crash reporting to detect issues quickly.

No system is perfectly secure. If you suspect a security issue, please email security@gethappening.app.

8. Data Breach Notification

If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with UK GDPR. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

9. Data Retention

Active accounts: retained for as long as your account is active.
Inactive accounts: if your account has shown no activity for 24 months, we will email you and, if you do not return, delete the account.
Deleted accounts: all personal data is permanently and irreversibly deleted immediately upon deletion. A small audit trail (account ID and deletion timestamp) is kept for security and abuse-prevention purposes.
Cancelled events: automatically deleted 30 days after cancellation.
Past events: automatically deleted 365 days after the event date.
Guest records: anonymised 90 days after the related event ends.
Reports and moderation records: retained for up to 2 years to allow us to track repeat offenders.
Server logs: retained for up to 30 days, then automatically deleted.
Crash and error reports: retained for up to 90 days.
Backups: rolling 14-day window, then permanently deleted.

10. Your Rights

Under UK GDPR, you have the right to:

Access your data — request a copy via Settings or email us.
Rectify your data — edit your profile at any time, or contact us if you cannot.
Erase your data — delete your account from Settings → Delete Account. This is immediate and permanent. You can also email us to request deletion.
Restrict processing — contact us if you want us to stop using your data while a dispute is resolved.
Object to processing — contact us if you object to how we use your data based on legitimate interests.
Port your data — request a machine-readable export.
Withdraw consent — unsubscribe from non-essential emails or delete your account at any time.
Lodge a complaint with the Information Commissioner's Office (ICO), the UK regulator for data protection.

To exercise any of these rights, contact privacy@gethappening.app. We will respond within 30 days.

11. How to Delete Your Account

You can delete your account at any time directly from the app:

Open Happening and go to Settings.
Scroll to the bottom and tap Delete Account.
Confirm — by entering your password if you signed up with email, or by tapping the confirmation button if you signed in with Google or Apple.

You can also delete your account from our website at gethappening.app/delete-account.

Deletion is immediate and irreversible. All personal data is removed from our active systems immediately and from backups within 14 days. If you cannot access your account for any reason, email privacy@gethappening.app from the address linked to the account and we will delete it for you.

12. Children's Privacy

Happening is not directed at children. You must be at least 16 years old to create an account or use the Service. We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will delete their account and any associated data without undue delay. If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@gethappening.app.

13. Cookies and Local Storage

The Happening website uses a single strictly necessary HTTP-only cookie to maintain your login session (the refresh token). The Happening mobile apps store authentication tokens and your theme preference in secure local storage on your device. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. No consent banner is required because we only use strictly necessary storage.

14. Push Notifications

Push notifications are not yet enabled in this release. When we turn them on, we will send only transactional messages (invitations, reminders, results, friend requests); we will request permission first, and you can revoke it in your device settings.

15b. Location Data and Google Places Autocomplete

Happening does not read your device's GPS, Wi-Fi, or cell-tower location at any point. The only location data we ever hold is the free-text "Where?" field you type when creating an event (for example, "The Crown, Brixton"). We may offer suggestions as you type — those suggestions come from the Google Places Autocomplete API. When you interact with the suggestion list, the characters you have typed are sent to Google Places to fetch matching places; Google's use of that data is governed by the Google Privacy Policy. If you prefer not to use autocomplete, you can simply type a location label without picking a suggestion.

15. Calendar Integration (Optional)

The Happening mobile apps offer an optional feature that highlights, on the availability picker, the dates on which you already have something on your device calendar. This feature is off by default and only runs after you enable it from Settings → Calendar conflicts and grant the system calendar permission.

When you enable this feature:

Your device calendar is read only on your phone. The events themselves never leave your device and are never sent to our servers or to any third party.
We only read calendar entries for the date range of the event you are currently looking at.
We use the read-only data to compute a list of "busy" dates in memory. We do not store calendar event titles, descriptions, attendees, or locations anywhere.
You can revoke calendar access at any time, either by turning the toggle off in Happening Settings or by revoking the permission in your device's system settings. The feature stops working immediately.
The feature is not available on the Happening website — it is mobile-only.

16. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

17. Third-Party Links

The Service may contain links to third-party websites or services (for example, in event descriptions). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies.

18. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. The "Effective" date at the top of this page indicates when the latest version was published. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

19. Contact

Lili's Ark Limited
Company number: 15424953 (England and Wales)
Privacy enquiries: privacy@gethappening.app
Security enquiries: security@gethappening.app
General support: support@gethappening.app

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.